
[cka] Security Contexts

by Geunny 2024. 7. 28.

1. What is the user used to execute the sleep process within the ubuntu-sleeper pod? In the current(default) namespace

 

How to check which user the processes in a container run as:

controlplane ~ ➜  kubectl exec ubuntu-sleeper -- whoami
root

 

answer : root

 

2. Edit the pod ubuntu-sleeper to run the sleep process with user ID 1010. Note: Only make the necessary changes. Do not modify the name or image of the pod.

 

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

 

Recreate the pod with runAsUser set in the pod-level securityContext. The securityContext of a running pod is immutable, so editing it in place is rejected by the API server; delete the pod and apply the edited manifest instead, which is what the commands below do.

---
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: ubuntu-sleeper

controlplane ~ ✖ k delete po ubuntu-sleeper --force
Warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "ubuntu-sleeper" force deleted


controlplane ~ ✖ k apply -f ubuntu-sleeper.yaml 
pod/ubuntu-sleeper created

 

3. A Pod definition file named multi-pod.yaml is given. With what user are the processes in the web container started? The pod is created with multiple containers and security contexts defined at the Pod and Container level.

 

apiVersion: v1
kind: Pod
metadata:
  name: multi-pod
spec:
  securityContext:
    runAsUser: 1001
  containers:
  -  image: ubuntu
     name: web
     command: ["sleep", "5000"]
     securityContext:
      runAsUser: 1002

  -  image: ubuntu
     name: sidecar
     command: ["sleep", "5000"]

 

answer : 1002 (the runAsUser on the web container's own securityContext overrides the pod-level 1001)

 

4. With what user are the processes in the sidecar container started? The pod is created with multiple containers and security contexts defined at the Pod and Container level.

 

answer : 1001 (sidecar has no securityContext of its own, so it inherits the pod-level runAsUser)
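The precedence rule behind answers 3 and 4, worked through in code. This is an added example, not code from the original post or from Kubernetes: it resolves the securityContext the kubelet will apply to each container (container value first, then the pod-level value, otherwise the image default, reported as None) and flags container-only keys such as `capabilities` placed under the pod-level securityContext, which the API server rejects. The field lists are the overlapping and container-only fields of PodSecurityContext and the container SecurityContext; `may_run_as_root` is a helper name chosen here; the sample spec is the multi-pod.yaml above transcribed into a dict so the script runs offline.

```python
"""Resolve the effective securityContext of every container in a pod spec.

Added example (not from the original post or Kubernetes). Models the rule
multi-pod.yaml illustrates: a field set on the container wins, an unset
field is inherited from pod.spec.securityContext, and when neither sets it
the image's USER decides (None here). Capabilities and the other
container-only fields cannot be set at pod level at all.
"""
from typing import Any, Dict, List, Optional

# Settable on both levels; the container value overrides the pod value.
INHERITED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot",
                    "seLinuxOptions", "seccompProfile")
# Settable on containers only; rejected under pod.spec.securityContext.
CONTAINER_ONLY_FIELDS = ("capabilities", "privileged", "allowPrivilegeEscalation",
                         "readOnlyRootFilesystem", "procMount")

MULTI_POD: Dict[str, Any] = {  # the page's multi-pod.yaml, transcribed inline
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "multi-pod"},
    "spec": {
        "securityContext": {"runAsUser": 1001},
        "containers": [
            {"name": "web", "image": "ubuntu", "command": ["sleep", "5000"],
             "securityContext": {"runAsUser": 1002}},
            {"name": "sidecar", "image": "ubuntu", "command": ["sleep", "5000"]},
        ],
    },
}


def invalid_pod_level_fields(pod: Dict[str, Any]) -> List[str]:
    """Container-only keys wrongly placed on the pod-level securityContext."""
    pod_sc = pod["spec"].get("securityContext") or {}
    return [k for k in pod_sc if k in CONTAINER_ONLY_FIELDS]


def effective_security_context(pod: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Map container name -> the settings the kubelet will actually apply."""
    bad = invalid_pod_level_fields(pod)
    if bad:
        raise ValueError(f"pod.spec.securityContext does not accept {bad}; set them per container")
    pod_sc = pod["spec"].get("securityContext") or {}
    result: Dict[str, Dict[str, Any]] = {}
    for c in pod["spec"]["containers"]:
        c_sc = c.get("securityContext") or {}
        eff: Dict[str, Any] = {}
        for f in INHERITED_FIELDS:
            # container wins, then pod, then None (= whatever the image's USER is)
            eff[f] = c_sc[f] if f in c_sc else pod_sc.get(f)
        for f in CONTAINER_ONLY_FIELDS:
            eff[f] = c_sc.get(f)
        result[c["name"]] = eff
    return result


def may_run_as_root(eff: Dict[str, Any]) -> bool:
    """True when nothing in the resolved context rules out UID 0.

    runAsUser 0 is root; runAsUser unset leaves it to the image (ubuntu
    defaults to root); runAsNonRoot True makes the kubelet refuse to start
    a container whose user would be UID 0.
    """
    uid: Optional[int] = eff.get("runAsUser")
    if eff.get("runAsNonRoot"):
        return False
    return uid is None or uid == 0


if __name__ == "__main__":
    for name, eff in effective_security_context(MULTI_POD).items():
        print(f"{name}: runAsUser={eff['runAsUser']} may_run_as_root={may_run_as_root(eff)}")
```

Feed it `kubectl get pod <name> -o json` (one pod at a time) to audit real manifests; containers for which `may_run_as_root` returns True are the ones the image, not the manifest, is deciding the user for.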

 

5. Update pod ubuntu-sleeper to run as Root user and with the SYS_TIME capability. Note: Only make the necessary changes. Do not modify the name of the pod.

 

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container

Two details matter here. `capabilities` is a container-level setting only; there is no `capabilities` key under pod.spec.securityContext. And "run as root" is achieved by removing the `runAsUser: 1010` added in step 2, so the container falls back to the image's default user, which is root for the ubuntu image (`runAsUser: 0` would say the same thing explicitly). As before, the pod spec cannot be changed in place, so delete and recreate.

controlplane ~ ➜  k delete po ubuntu-sleeper --force
Warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "ubuntu-sleeper" force deleted

controlplane ~ ➜  vi ubuntu-sleeper2.yaml


---
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  # no runAsUser: the container runs as the image's default user (root for ubuntu)
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: ubuntu-sleeper
    securityContext:
      # capabilities can only be set here, at container level
      capabilities:
        add: ["SYS_TIME"]

controlplane ~ ➜  k apply -f ubuntu-sleeper2.yaml 
pod/ubuntu-sleeper created

 

 

6. Now update the pod to also make use of the NET_ADMIN capability. Note: Only make the necessary changes. Do not modify the name of the pod.

 

---
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: ubuntu-sleeper
    securityContext:
      capabilities:
        add: ["SYS_TIME", "NET_ADMIN"]

The capability list is part of the immutable pod spec as well, so this apply only succeeds once the pod from step 5 has been deleted again; applying over the running pod is rejected by the API server.

controlplane ~ ➜  k apply -f ubuntu-sleeper2.yaml 
pod/ubuntu-sleeper created
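Steps 5 and 6 only show the manifest being accepted; the check a practitioner wants is what the sleep process actually holds. Inside the pod, `kubectl exec ubuntu-sleeper -- sh -c 'id -u; cat /proc/self/status'` prints the UID and the `CapEff` bitmask, and the added example below decodes that mask. This is not code from the original post: the bit numbering is linux/capability.h, `DEFAULT_CAPS` is the capability set Docker/containerd grant when a manifest adds and drops nothing (taken as the baseline here), and `SAMPLE_STATUS` is a constructed /proc/self/status excerpt of what the step 6 pod is expected to report, not captured output. One caveat the page's ordering hints at: if the pod also sets a non-zero runAsUser, the sleep process typically reports `CapEff: 0000000000000000` even with capabilities added, because the kernel clears the effective set on execve for a non-root user unless the binary carries file capabilities or the runtime sets ambient capabilities; that is why step 5 switches back to root before adding SYS_TIME.

```python
"""Decode the CapEff bitmask a container process reports.

Added example, not from the original post. Feed it the output of
    kubectl exec ubuntu-sleeper -- sh -c 'id -u; cat /proc/self/status'
via check_container(). Bit numbers follow linux/capability.h; DEFAULT_CAPS
is the default Docker/containerd set, used as the baseline for what counts
as "added" or "dropped".
"""
from typing import Dict, List

CAP_NAMES: List[str] = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
CAP_BIT: Dict[str, int] = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Default container set: CHOWN DAC_OVERRIDE FOWNER FSETID KILL SETGID SETUID
# SETPCAP NET_BIND_SERVICE NET_RAW SYS_CHROOT MKNOD AUDIT_WRITE SETFCAP.
DEFAULT_CAPS = 0x00000000A80425FB

SAMPLE_STATUS = (  # constructed /proc/self/status excerpt for the step 6 pod
    "Name:\tsleep\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000aa0435fb\n"
    "CapEff:\t00000000aa0435fb\n"
    "CapBnd:\t00000000aa0435fb\n"
    "CapAmb:\t0000000000000000\n"
)


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(mask: int) -> List[str]:
    """Names of the capabilities whose bit is set, in bit order."""
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def has_cap(mask: int, name: str) -> bool:
    return bool(mask >> CAP_BIT[name] & 1)


def added_caps(mask: int, baseline: int = DEFAULT_CAPS) -> List[str]:
    """Capabilities present in mask but not in the baseline set."""
    return decode_caps(mask & ~baseline)


def dropped_caps(mask: int, baseline: int = DEFAULT_CAPS) -> List[str]:
    """Capabilities in the baseline set that mask lacks."""
    return decode_caps(baseline & ~mask)


def check_container(status_text: str, expected_add: List[str]) -> Dict[str, object]:
    """Compare what the process holds with what the manifest's `add:` asked for."""
    st = parse_status(status_text)
    eff = int(st["CapEff"], 16)
    uid = int(st["Uid"].split()[0])  # real UID is the first of the four
    granted = added_caps(eff)
    return {
        "uid": uid,
        "effective": decode_caps(eff),
        "missing": [c for c in expected_add if c not in granted],     # asked for, not held
        "unexpected": [c for c in granted if c not in expected_add],  # held, not asked for
        "dropped": dropped_caps(eff),
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    print(check_container(text, ["SYS_TIME", "NET_ADMIN"]))
```

Pipe the `kubectl exec` output into the script to compare a live pod against its manifest; a non-empty `unexpected` list means the container holds a capability nobody asked for, and a non-empty `missing` list with `uid != 0` is usually the non-root caveat described above rather than a manifest error.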

 

 
